Your message dated Sun, 02 Apr 2006 15:02:19 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#349129: fixed in sudo 1.6.8p12-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: sudo
Version: 1.6.8p7-1.3
Severity: normal

The new behaviour regarding env sanitising is not reflected in
the sudoers or the sudo manpages and there is no news.debian file in
the sarge package; one must read the security announcement very precisely
to find out how to deal with the change.

The sudo -V output is now misleading: it gives a very incomplete list of
env vars that are removed.

It is not clear how the change interacts with env_reset, _keep and _check;
specifically one has to experiment to find out that the new change
is not equivalent to env_reset (and that env_reset is not on by default).

(I wonder why the new behaviour wasn't implemented in terms of defaulting
to env_reset and a tightening of that list?)

env_check, the currently suggested way of keeping vars, does not work
for things like XAUTHORITY or anything else that looks like a path.

It is somewhat complicated to find out that env_keep is honored only
if env_reset is on. The only way to keep something like XAUTHORITY
is to use
        Defaults env_reset, env_keep+="XAUTHORITY"
in sudoers. It would be really nice if there was some example in a
news.debian (the example sudoers doesn't include anything related).

It is absolutely unclear from the visudo manpage how the env_* options
interact: precedence of _check vs _keep, _keep vs. _delete and so on.
Together with the undocumented new behaviour this has made adjusting
to the new safer sudo harder than necessary, I think.

regards
az

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (980, 'testing'), (970, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.14
Locale: LANG=C, LC_CTYPE=de_AT (charmap=ISO-8859-1)

Versions of packages sudo depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-22      Pluggable Authentication Modules f
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l

-- no debconf information


--- End Message ---
--- Begin Message ---
Source: sudo
Source-Version: 1.6.8p12-2

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.6.8p12-2_i386.deb
  to pool/main/s/sudo/sudo-ldap_1.6.8p12-2_i386.deb
sudo_1.6.8p12-2.diff.gz
  to pool/main/s/sudo/sudo_1.6.8p12-2.diff.gz
sudo_1.6.8p12-2.dsc
  to pool/main/s/sudo/sudo_1.6.8p12-2.dsc
sudo_1.6.8p12-2_i386.deb
  to pool/main/s/sudo/sudo_1.6.8p12-2_i386.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <[EMAIL PROTECTED]> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Sun,  2 Apr 2006 14:26:20 -0700
Source: sudo
Binary: sudo-ldap sudo
Architecture: source i386
Version: 1.6.8p12-2
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <[EMAIL PROTECTED]>
Changed-By: Bdale Garbee <[EMAIL PROTECTED]>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 161012 203874 220808 228551 292833 314949 315115 315718 346325 349085 349129 349196 349549 349587 349729 350776 354431
Changes: 
 sudo (1.6.8p12-2) unstable; urgency=low
 .
   * fix typos in init scripts, closes: #346325
   * update to debhelper compat level 5
   * build depend on autotools-dev to ensure config.sub/guess are fresh
   * accept patch from Martin Schulze developed for 1.6.8p7-1.4 in stable, and
     use it here as well.  Thanks to Martin and the debian-security team.
     closes: #349196, #349549, #349587, #349729, #349129, #350776, #349085
     closes: #315115, #315718, #203874
     * Non-maintainer upload by the Security Team
     * Reworked the former patch to limit environment variables from being
       passed through, set env_reset as default instead [sudo.c, env.c,
       sudoers.pod, Bug#342948, CVE-2005-4158]
     * env_reset is now set by default
     * env_reset will preserve only HOME, LOGNAME, PATH, SHELL, TERM,
       DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER
       (in addition to the SUDO_* variables)
     * Rebuild sudoers.man.in from the POD file
     * Added README.Debian
   * patch from Alexander Zangerl to fix duplicated PATH issue, closes: #354431
   * simplify rules file by using more of Makefile, despite having to override
     default directories with more arguments to configure, closes: #292833
   * update sudo man page to reflect use of SECURE_PATH, closes: #228551
   * inconsistencies in sudoers man page resolved, closes: #220808, #161012
   * patch from Jeroen van Wolffelaar to improve behavior when FQDNs are
     unresolvable (requires adding bison as build dep), closes: #314949
Files: 
 73d77951ae86e88e906d28d0f94abb33 615 admin optional sudo_1.6.8p12-2.dsc
 b3205e53c871e64824c6b338c9fa8a35 33108 admin optional sudo_1.6.8p12-2.diff.gz
 22698e7f33a3f7179ec3ab59d24e4fec 161506 admin optional sudo_1.6.8p12-2_i386.deb
 d2418ccc65a98154b15c7b3c1342462b 173910 admin optional sudo-ldap_1.6.8p12-2_i386.deb

--- End Message ---
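The env_reset / env_keep / env_check interaction raised in the bug report above, and the default keep list from the changelog, as an added Python model of the documented filtering rules (this is not sudo's own code, the sample environment is constructed, and the precedence between lists is a simplification):

```python
import fnmatch

# env_reset keep list from the changelog above; LC_* and SUDO_* are globs.
DEFAULT_ENV_KEEP = (
    "HOME", "LOGNAME", "PATH", "SHELL", "TERM", "DISPLAY", "XAUTHORITY",
    "XAUTHORIZATION", "LANG", "LANGUAGE", "LC_*", "USER", "SUDO_*",
)

def matches(name, patterns):
    """Match a variable name against sudoers-style name patterns."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def passes_check(value):
    """env_check keeps a variable only if its value has no '%' or '/'."""
    return "%" not in value and "/" not in value

def filter_env(env, env_reset=True, env_keep=(), env_check=(), env_delete=()):
    """Simplified model (not sudo's code) of the environment a command gets.
    env_reset on: start empty, keep env_keep matches and env_check matches
    whose values pass the check. env_reset off: start full, drop env_delete
    matches and env_check matches whose values fail the check."""
    result = {}
    for name, value in env.items():
        if matches(name, env_check):
            if passes_check(value):
                result[name] = value
        elif matches(name, env_keep):
            result[name] = value
        elif not env_reset and not matches(name, env_delete):
            result[name] = value
    return result

# Constructed sample environment; XAUTHORITY is path-like, as in the report.
SAMPLE_ENV = {
    "HOME": "/home/az", "PATH": "/usr/bin:/bin", "TERM": "xterm",
    "XAUTHORITY": "/home/az/.Xauthority", "LC_ALL": "C",
    "LD_PRELOAD": "/tmp/libfoo.so", "EDITOR": "vi",
}

def check_only():
    # The suggested env_check route: '/' in XAUTHORITY's value fails the check.
    return filter_env(SAMPLE_ENV, env_keep=("HOME", "PATH"), env_check=("XAUTHORITY",))

def keep_xauthority():
    # Defaults env_reset, env_keep+="XAUTHORITY" (the sudoers line from the report).
    return filter_env(SAMPLE_ENV, env_keep=("HOME", "PATH", "XAUTHORITY"))

def debian_default():
    # The 1.6.8p12-2 default: env_reset with the changelog's keep list.
    return filter_env(SAMPLE_ENV, env_keep=DEFAULT_ENV_KEEP)
```

Running check_only() shows XAUTHORITY silently dropped, which is the behaviour the reporter had to discover by experiment; keep_xauthority() and debian_default() both retain it.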